[PATCH v1] mfd: mt6397-irq: Fix PM notifier use-after-free

최유호 dbgh9129 at gmail.com
Wed Jun 17 18:53:08 PDT 2026


On Wed, 17 Jun 2026 at 11:26, Lee Jones <lee at kernel.org> wrote:

> [Severity: High]
> Is it safe to explicitly remove the IRQ domain here while the devm-managed
> parent threaded IRQ remains active?
>
> The parent IRQ was requested earlier via devm_request_threaded_irq(). Because
> devres cleanup does not run until the probe function completely fails and
> returns, the parent IRQ remains active and enabled during this window.
>
> If an interrupt triggers during this error path, the active IRQ handler
> mt6397_irq_thread() will execute and call mt6397_irq_handle_reg(). This in
> turn calls irq_find_mapping(), which will dereference the freed irq_domain,
> resulting in a use-after-free.

Thanks for pointing this out. Findings 1 and 3 look like pre-existing
issues. Finding 2, however, appears to be related to the error-path cleanup
I added.

I will rework the patch so the notifier and irq_domain cleanup ordering is
handled consistently.
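
The ordering problem raised in the quoted review, shown as an added userspace model (not code from the patch, the MT6397 driver, or the kernel). The struct and helper names below are stand-ins for the real kernel objects the review names: `devres_add`/`devres_release_all` model devm actions running in LIFO order after a failed probe returns, `irq_thread_fire` models `mt6397_irq_thread()` calling `irq_find_mapping()` on the domain, and `domain_remove_action` models `irq_domain_remove()`. The `ENODEV` value and the `driver_probe`-style wrapper are assumptions made for the example; the failing probe step is left unnamed because the thread does not say which one it is.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DEVRES 8
#define ENODEV 19 /* assumed error value for the model */

struct irq_domain { bool freed; };

/* Stand-in for struct device plus the driver state the IRQ thread touches. */
struct device {
    void (*cleanup[MAX_DEVRES])(struct device *);
    int ndevres;
    struct irq_domain dom_storage;
    struct irq_domain *domain;   /* pointer the IRQ thread dereferences */
    bool irq_active;             /* parent IRQ requested and enabled */
    bool uaf_observed;           /* handler ran against a removed domain */
};

/* devres model: actions run in LIFO order once a failed probe has returned. */
static void devres_add(struct device *dev, void (*fn)(struct device *))
{
    dev->cleanup[dev->ndevres++] = fn;
}

static void devres_release_all(struct device *dev)
{
    while (dev->ndevres > 0)
        dev->cleanup[--dev->ndevres](dev);
}

/* Stand-in for mt6397_irq_thread() -> mt6397_irq_handle_reg() -> irq_find_mapping(). */
static void irq_thread_fire(struct device *dev)
{
    if (!dev->irq_active)
        return;                          /* IRQ already freed: handler cannot run */
    if (dev->domain == NULL || dev->domain->freed)
        dev->uaf_observed = true;        /* dereference of a removed domain */
}

static void free_irq_action(struct device *dev) { dev->irq_active = false; }

static void domain_remove_action(struct device *dev)
{
    if (dev->domain)
        dev->domain->freed = true;       /* memory gone, pointer left dangling */
}

/* Error path as described in the review: explicit irq_domain_remove()
 * while the devm-managed parent IRQ stays active until devres runs. */
static int probe_explicit_remove(struct device *dev, bool irq_fires)
{
    dev->domain = &dev->dom_storage;     /* irq_domain_add_*() */
    dev->irq_active = true;              /* devm_request_threaded_irq() */
    devres_add(dev, free_irq_action);

    /* a later probe step fails (unnamed in the thread) ... */
    domain_remove_action(dev);           /* explicit irq_domain_remove() */
    if (irq_fires)
        irq_thread_fire(dev);            /* interrupt lands before probe returns */
    return -ENODEV;                      /* free_irq only runs after this return */
}

/* Alternative ordering: domain teardown registered with devres right after
 * creation, so LIFO release frees the IRQ first and removes the domain last. */
static int probe_devm_ordered(struct device *dev, bool irq_fires)
{
    dev->domain = &dev->dom_storage;
    devres_add(dev, domain_remove_action); /* devm_add_action_or_reset() style */
    dev->irq_active = true;
    devres_add(dev, free_irq_action);

    if (irq_fires)
        irq_thread_fire(dev);            /* domain still live here */
    return -ENODEV;                      /* devres: free_irq, then domain remove */
}

/* Driver-core stand-in: run probe, run devres on failure, then let one more
 * interrupt arrive. Returns true when no handler ran against a freed domain. */
static bool probe_fails_safely(int (*probe)(struct device *, bool), bool irq_fires)
{
    struct device dev = {0};
    if (probe(&dev, irq_fires))
        devres_release_all(&dev);
    irq_thread_fire(&dev);               /* late interrupt after cleanup */
    return !dev.uaf_observed;
}

int main(void)
{
    printf("explicit remove, IRQ in window: %s\n",
           probe_fails_safely(probe_explicit_remove, true) ? "safe" : "UAF");
    printf("explicit remove, no IRQ:        %s\n",
           probe_fails_safely(probe_explicit_remove, false) ? "safe" : "UAF");
    printf("devm-ordered,    IRQ in window: %s\n",
           probe_fails_safely(probe_devm_ordered, true) ? "safe" : "UAF");
    return 0;
}
```

The model only flags the hazard rather than reading freed memory, so it runs deterministically; the point it shows is that the window exists between the explicit removal and the probe's return, and that it closes when the domain's teardown is itself a devres action registered before the IRQ request, or when the IRQ is freed before the domain is removed.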
